I got responses from Lorraine Baran, Rob De Langhe and Jason Grove. Lorraine and Jason had working configurations but unfortunately I was unable to duplicate their success. Rob said that he didn't believe the netgroups could be used in /etc/passwd anymore and suggested adding code to /etc/profile to control logins.

In researching the problem further it seems that Sun introduced a bug with the Solaris 8 ldap client patch 108993-18 when the old pam_unix.so was replaced by several smaller modules. Some of the bug reports on sunsolve suggested that a workaround would be to use the old pam modules which still exist in /usr/lib/security, but this also didn't work for me.

The problems I have seen are described on Sunsolve here:
http://sunsolve.sun.com/search/document.do?assetkey=1-1-5025128-1
http://sunsolve.sun.com/search/document.do?assetkey=1-1-5019501-1&searchclause=ldap%20nsswitch.conf%20compat

I did manage to use LDAP netgroups to limit logins on a system using an unsupported pam module that a Sun security engineer had posted on playground.sun.com here: http://playground.sun.com/~darrenm/pam_netgroup.c. I intend to use this module as a workaround until the compat mode problem is resolved.

<http://sunsolve.sun.com/search/document.do?assetkey=1-21-108993-33-1>

Victor Engle wrote:
> Hello List,
>
> I have a Sun Directory server v5.2 configured as a naming service for my Sun workstation. It currently provides account info, authentication, group info and auto_* map info. I have been trying to get netgroups to work because my goal is to use LDAP as a naming service for servers and I need to be able to allow only specific users access to the servers. For example, on an oracle server I would want to restrict access to system and database admins by adding something like "+@sys_dba_admins". The sys_dba_admins would be an ldap netgroup containing nis triples or netgroups for the sys admins and DBAs.
>
> I configured nsswitch.conf for compatibility mode. Here is the relevant part of my nsswitch.conf:
>
> passwd: files compat
> passwd_compat: ldap
> group: files compat
> group_compat: ldap
> netgroup: ldap
>
> Here is my ldap netgroup entry:
>
> cn=skylab,ou=netgroup,dc=domain_central,dc=local
> objectClass=nisNetgroup
> objectClass=top
> cn=skylab
> nisNetgroupTriple=(,vengle,)
> nisNetgroupTriple=(,fred,)
> creatorsName=cn=directory manager
> modifiersName=cn=directory manager
> createTimestamp=20041008175127Z
> modifyTimestamp=20041008175127Z
>
> And here is the /etc/passwd file entry. (pwconv added the entry to /etc/shadow)
>
> +@skylab:x:::::
>
> In this configuration, no ldap account can login. The user fred is an ldap user and is listed in the skylab netgroup. If I add "+fred" to the passwd file then fred can login, so I know the 1 compatibility is working, just not with the netgroup.
>
> Do I have a configuration error or is this a bug?
>
> Any assistance would be appreciated.
>
> Thanks,
> Vic
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Oct 12 13:22:17 2004
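As an added illustration (not code from the list, from Sun, or from either poster), the following Python model shows how the nsswitch compat source is expected to evaluate `+`/`-` entries such as `+@skylab:x:::::` against LDAP nisNetgroup triples: first matching rule wins, an empty triple field is a wildcard, and nested netgroups are followed. The NETGROUPS table and the passwd lines are constructed sample data standing in for the directory.

```python
# Added example: a minimal model of passwd(5) "compat" evaluation against
# LDAP-style netgroup triples. NETGROUPS is a constructed stand-in for the
# directory, not a real LDAP lookup.
from typing import Dict, List, Tuple

# netgroup name -> (nisNetgroupTriple values, nested netgroup names)
NETGROUPS: Dict[str, Tuple[List[str], List[str]]] = {
    "skylab": (["(,vengle,)", "(,fred,)"], []),
    "sys_dba_admins": ([], ["skylab"]),   # nested group, as memberNisNetgroup would express
}


def parse_triple(triple: str) -> Tuple[str, str, str]:
    """Split '(host,user,domain)' into fields; an empty field is a wildcard."""
    body = triple.strip()
    if not (body.startswith("(") and body.endswith(")")) or body.count(",") != 2:
        raise ValueError(f"malformed nisNetgroupTriple: {triple!r}")
    host, user, domain = (f.strip() for f in body[1:-1].split(","))
    return host, user, domain


def in_netgroup(user: str, group: str, seen=None) -> bool:
    """True if user is a member of group, directly or through nested groups."""
    if seen is None:
        seen = set()
    if group in seen or group not in NETGROUPS:   # cycle guard / unknown group
        return False
    seen.add(group)
    triples, nested = NETGROUPS[group]
    if any(parse_triple(t)[1] in ("", user) for t in triples):
        return True
    return any(in_netgroup(user, g, seen) for g in nested)


def compat_allows(user: str, passwd_lines: List[str]) -> bool:
    """Walk /etc/passwd top to bottom; the first rule that matches decides."""
    for line in passwd_lines:
        name = line.split(":", 1)[0]
        if name == user:                      # ordinary local account entry
            return True
        if name in ("+", "-"):                # bare +/-: applies to every compat user
            return name == "+"
        if name and name[0] in "+-":
            allow, target = name[0] == "+", name[1:]
            if target.startswith("@"):
                if in_netgroup(user, target[1:]):
                    return allow
            elif target == user:
                return allow
    return False                              # no rule matched: not a known user
```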
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:38 EST